Open source encryption project's website, SourceForge pages defaced with warnings not to use the product due to 'security issues'

InfoWorld | May 29, 2014

In what's been variously described as a hacking attempt, a prank, a hoax, or a veiled message, the website and SourceForge repositories for the TrueCrypt encryption project now feature a warning not to use TrueCrypt due to "unfixed security issues."

Even stranger, both the source code and the binaries for TrueCrypt have been modified to prevent users from creating new encrypted volumes -- and the changed code appears to have been signed with legitimate encryption keys.

Consequently, speculation has run rampant about what actually happened. Maybe the changes in question were the product of a malicious hack attempt or a prank. Perhaps they were part of a larger plan to force the secretive TrueCrypt development team to reveal itself. Or maybe they had in fact been performed by TrueCrypt's own team, either voluntarily or under duress.

Aside from sporting a warning about TrueCrypt's alleged insecurity, the TrueCrypt website had been rewritten to recommend, inexplicably, that existing TrueCrypt users migrate not to another open source encryption system but to Microsoft's proprietary BitLocker encryption system.

Other aspects of the warning are also curious, since they seem to focus mainly on Windows, despite the fact that TrueCrypt is a cross-platform application. "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the site reads. (Windows XP support ended on April 8, 2014, not in May.)

Various security experts have since examined the changes to the site and the software. Among them is Kenn White, one of the members of the Open Crypto Audit Project, which rallied resources and money to audit TrueCrypt's source code and determine how secure it was. Since the Project was preparing to make an announcement later in the week about a new Open Crypto Audit Project initiative, some speculated that the timing of the changes to TrueCrypt's site and code was part of it, but White tweeted that the announcement was "not [about] TC [TrueCrypt]".

Researcher Arrigo Triulzi performed his own analysis of the modified source code on TrueCrypt's SourceForge site, and other researchers noted that some changes within the sources hinted at them having been derived from a later version of the source code than the version used to generate the most recent legitimate binaries. The last legitimate binaries are version 7.1, but the new binaries are tagged with the version number 7.2.

Taylor Hornby of Defuse Security also noted, strangely enough, that the 7.2 binaries were apparently signed by the same public key previously used by the TrueCrypt team. "Either legit, selective attack, or key compromise," he tweeted.

One possible explanation of those facts is that a hacker gained access to a computer used by a member of the TrueCrypt team and thus was able to steal both a newer edition of the source code and the public key. That by itself would bode badly enough for both the project and the team.

Researcher Steve Gibson is of the belief that the matching keys are reason enough to conclude the original team is responsible, and that given the team's penchant for secrecy and silence, their motives are most likely impossible to know.

Brian Krebs, the researcher who investigated the theft of massive amounts of personal data from the LexisNexis database, is also tilting toward the idea that the TrueCrypt team is indeed responsible. He notes "a cursory review of the site's historic hosting, WHOIS, and DNS records shows no substantive changes recently," which he feels rules out hacking.

Krebs also interviewed Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and one of the other supporters of the TrueCrypt audit effort. Green, too, was of the belief this was the work of the TrueCrypt team itself -- that "they decided to quit and this is their signature way of doing it."

Even if the TrueCrypt team has bailed on the project, Green noted, he will continue with the project to audit the TrueCrypt code nonetheless so that other people might resurrect the project and continue. But "maybe what they did today makes that impossible," Green said. "They set the whole thing on fire, and now maybe nobody is going to trust it because they'll think there's some big evil vulnerability in the code."

The only detail left that might confirm or deny this would be to receive some other official word from the TrueCrypt developers.

Yesterday, Green tweeted that he had "sent an email to our contact at Truecrypt. I'm not holding my breath though." So far, there has been no reply.